Maintained by: NLnet Labs

[Unbound-users] Unexpected results - Unbound results don't match external DNS

Carsten Strotmann
Sun Jul 27 19:36:53 CEST 2014


Hello Patrick,

pcl-associates writes:

> Hi Carsten,
>
> Unfortunately, the issue is not limited to nslookup.  Here's what I
> get when I run the same dig command you did below.

Yes, you do not get what you expected, but the dig output gives much
better information (see below).

> Evidently
> something isn't right because my results should match yours.

> In a
> separate email, Chris asked if I was using this as a forwarder or
> resolver.  I am using it as an authoritative, validating, recursive
> caching dns server as described here:
> https://calomel.org/unbound_dns.html.
>

That page is a little outdated (covers Unbound 1.4.9, current is
1.4.22). Also, you are probably running Unbound as a validating,
recursive caching DNS server, as Unbound is not designed to be an
authoritative server (that would be an NSD or BIND 9 or PowerDNS
...). The calomel.org website just defines these DNS terms.

Could you share your "unbound.conf" with this list?

You have a forwarding server if you have configuration lines with
"forward-zone:" in your configuration. Usually it is recommended *NOT*
to use forwarding (instead, let your Unbound talk directly to the
authoritative DNS servers in the Internet), unless you have a good
reason to do so (network topology or firewall-policy).

> # dig 158.24.39.46.zen.spamhaus.org.
>
> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22741
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;158.24.39.46.zen.spamhaus.org.	IN	A
>
> ;; AUTHORITY SECTION:
> zen.spamhaus.org.	3546	IN	SOA	need.to.know.only. hostmaster.spamhaus.org. 1407271350 3600 600 432000 150
>
> ;; Query time: 39 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Jul 27 15:52:37 CEST 2014
> ;; MSG SIZE  rcvd: 122
>

Unlike with your nslookup response, which gave an IPv4 address record
back, this response is actually a response saying that the requested
domain name does not exist (NXDOMAIN). A very different response.

Let's try to ask the authoritative DNS servers for
"zen.spamhaus.org". I see:

% dig  158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org. 

; <<>> DiG 9.10.0-P1 <<>>
  158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22021
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN      A

;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 900 IN   A       127.0.0.11
158.24.39.46.zen.spamhaus.org. 900 IN   A       127.0.0.4

;; Query time: 26 msec
;; SERVER: 2001:7b8:3:1f:0:2:53:1#53(2001:7b8:3:1f:0:2:53:1)
;; WHEN: Sun Jul 27 19:33:46 CEST 2014
;; MSG SIZE  rcvd: 79


-- 
Carsten Strotmann
Email: cas at strotmann.de
Blog: strotmann.de
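As an added example (not from Carsten's message, and not Unbound or NLnet Labs code), a small Python parser for the DNS wire format that extracts the fields the two dig outputs above are compared on (status, aa/ra flags, A records) and reports when a resolver's reply disagrees with the authoritative one. The two responses are constructed to mirror the thread's NXDOMAIN reply from 127.0.0.1 and the NOERROR/aa reply from a.ns.spamhaus.org; they omit the authority and EDNS sections, and the message id 0x2ABC is arbitrary.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QNAME = "158.24.39.46.zen.spamhaus.org."  # the name queried in the thread
def encode_name(name):  # dotted name -> length-prefixed labels, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
def build_response(qname, rcode, aa, ra, a_records):
    """Constructed minimal response: header, one A/IN question, N A answers (TTL 900)."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    hdr = struct.pack("!HHHHHH", 0x2ABC, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(encode_name(qname) + struct.pack("!HHIH", 1, 1, 900, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return hdr + question + answers
def decode_name(msg, off):
    """Decode a name at off (follows RFC 1035 compression pointers); returns (name, next_off)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the remaining labels
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return (".".join(labels) + "." + tail) if labels else tail, off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
def summarize(msg):
    """The fields a dig user reads: status, aa/ra flags, and the A records answered."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4  # skip qname, then qtype and qclass
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "answers": sorted(ips)}

# Constructed stand-ins for the two replies quoted in the thread (no authority/EDNS sections).
LOCAL_RESOLVER = build_response(QNAME, 3, aa=False, ra=True, a_records=[])
AUTHORITATIVE = build_response(QNAME, 0, aa=True, ra=False, a_records=["127.0.0.11", "127.0.0.4"])
def disagreement(local, auth):  # how the resolver's reply differs from the authoritative one; None if consistent
    l, a = summarize(local), summarize(auth)
    if l["status"] == a["status"] and l["answers"] == a["answers"]:
        return None
    return "resolver: %s %s / authoritative: %s %s" % (l["status"], l["answers"], a["status"], a["answers"])
```

Feed `summarize()` the raw bytes of a real reply (e.g. from a UDP socket) to check a resolver against the authoritative servers the same way the thread does by hand.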